bankr-signals

Fail

Audited by Socket on Feb 24, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Natural language instruction to download and install from URL detected

All findings:
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3]
[HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3]
[HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3]
[HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3]
[HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3]
[HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3]
[HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3]
[HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3]

The fragment is largely aligned with its stated purpose (a Bankr Signals integration for provider registration, signal publication, and read operations). It is not inherently malicious, but it contains credential-handling patterns (plaintext API key placeholder) and external signing dependencies that warrant cautious secret management and trust in the external signing service. Treat as MEDIUM risk due to credential exposure potential and external dependency risk; not malicious by design given the described workflow.

LLM verification: This skill is functional and internally consistent with its stated purpose (publishing and consuming transaction-verified trading signals). I did not find code that is clearly malicious (no obfuscated payloads, reverse shells, or hidden exfiltration). However, the recommended 'Bankr wallet' flow requires storing and sending a privileged API key (bk_...) to a third-party signing service (api.bankr.bot) and having that service produce signatures that are then posted to bankrsignals.com. That deleg

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 24, 2026, 05:41 AM
Package URL: pkg:socket/skills-sh/BankrBot%2Fopenclaw-skills%2Fbankr-signals%2F@49c865c9fbc45064ea36dd7037cbff477bec39a7